Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Network-delivered open redirect needs no attacker auth (PR:N) but requires the victim to click (UI:R); token leakage across trust boundary yields S:C with C:H/I:H and no availability impact (A:N).
Primary rating from Vendor (microsoft).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionNVD
Url redirection to untrusted site ('open redirect') in M365 Copilot allows an unauthorized attacker to elevate privileges over a network.
AnalysisAI
Privilege elevation in Microsoft 365 Copilot arises from an open redirect (CWE-601) that lets an unauthenticated remote attacker craft a Copilot-hosted URL that forwards a victim to an attacker-controlled site. Per the CVSS vector this requires the victim to interact (UI:R) with the malicious link and results in a scope change with high confidentiality and integrity impact, consistent with token/credential capture enabling elevated access. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to induce a victim to click a specially crafted Microsoft 365 Copilot URL that abuses the vulnerable open-redirect parameter - the CVSS UI:R metric means user interaction is mandatory, which is the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mostly aligned toward a genuine but interaction-gated risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a link to a legitimate Microsoft 365 Copilot endpoint that embeds an attacker-controlled redirect target, then delivers it to a target user via email, Teams, or a shared document. The victim, trusting the Microsoft-branded URL, clicks it (UI:R) and is silently forwarded to an attacker-controlled site that harvests authorization tokens or credentials, giving the attacker elevated access. … |
| Remediation | Patch available per vendor advisory - as a Microsoft-operated cloud service, the fix is applied server-side by Microsoft, so no customer-side upgrade action is generally required; confirm your tenant is current and consult the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41106 for any tenant-specific guidance. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Microsoft 365 Copilot instances and user populations; confirm patch availability from Microsoft security advisories; notify stakeholders of the threat and patch timeline. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41445
GHSA-6xf4-794h-3f7w